CLAIMS



We claim: 

1. A method for modifying group membership, comprising the steps of:

receiving a request to add a first entity to a first group;

accessing an indication of a first policy from a set of policies for changing
static membership of said first group; and

adding said first entity to said first group as a static member based on said first
policy.

2. A method according to claim 1, wherein: 
said request is for said first entity. 

3. A method according to claim 1, wherein: 

said indication is stored in an attribute of an identity profile for said first
group.

4. A method according to claim 1, wherein: 

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy.

5. A method according to claim 4, wherein: 

said identity profile for said first group includes a filter attribute, said filter 
attribute stores a filter that is used with said open with filter policy to determine 
whether said first entity may be added to said first group.

6. A method according to claim 4, wherein: 
said request is from said first entity. 

7. A method according to claim 4, wherein:

said controlled through workflow policy requires that workflows be used to 
add entities to said first group and remove entities from said first group. 

8. A method according to claim 4, wherein:

if said first policy is said controlled through workflow policy, then said first
entity will not be added to said first group if said first entity is not a participant in a
first step of a workflow associated with said controlled through workflow policy.

9. A method according to claim 4, wherein: 

said closed policy prevents entities from subscribing to and unsubscribing 
from said first group. 

10. A method according to claim 4, further comprising the steps of: 
receiving a request from said first entity to unsubscribe from said first group; 
accessing said indication of said first policy; and 

unsubscribing said first entity from said first group, based on said first policy.

11. A method according to claim 1, wherein:

said indication is stored in an attribute of an identity profile for said first
group;

said identity profile for said first group includes an attribute that stores an
indication of whether to send a message upon adding said first entity to said first
group; and

said identity profile for said first group includes an attribute that stores said
message.

12. A method according to claim 1, wherein:

said first group is a member of a second group;

said first policy may not be less restrictive than a policy for changing static
membership of said second group; and

said step of adding said first entity to said first group provides said first entity
with membership privileges in said second group.

13. A method according to claim 1, wherein: 
said steps of receiving, accessing and adding are performed by an integrated
identity and access system. 

14. A method according to claim 13, wherein: 

said integrated identity and access system is capable of authorizing said first 
entity to access a resource based on membership in said first group. 

15. A method according to claim 1, wherein:
said request is for said first entity; and

said indication is stored in an attribute of an identity profile for said first
group.

16. A method according to claim 1, wherein:
said request is from said first entity; 

said indication is stored in an attribute of an identity profile for said first 
group; and 

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy. 

17. A method according to claim 1, wherein: 

said step of adding includes determining whether to add said first entity to said 
first group based on said first policy. 

18. A method for modifying group membership, comprising the steps of: 
receiving a request to remove a first static member from a first group; 
accessing an indication of a first policy from a set of policies for changing
static membership of said first group; and

removing said first static member from said first group based on said first
policy.

19. A method according to claim 18, wherein: 
said request is from said first entity. 

20. A method according to claim 18, wherein:

said indication is stored in an attribute of an identity profile for said first
group.

21. A method according to claim 18, wherein:

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy. 



22. A method according to claim 18, wherein:

said request is from said first entity;

said indication is stored in an attribute of an identity profile for said first
group; and

said set of policies includes an open policy, an open with filter policy, a
controlled through workflow policy, and a closed policy.



23. A method according to claim 18, wherein:
said first group is a member of a second group;

said first policy may not be less restrictive than a policy for changing static
membership of said second group; and

said step of removing said first entity has an effect of removing said first entity 
from said second group. 

24. One or more processor readable storage devices having processor
readable code embodied on said processor readable storage devices, said processor
readable code for programming one or more processors to perform a method
comprising the steps of:

receiving a request to add a first entity to a first group;

accessing an indication of a first policy from a set of policies for changing
static membership of said first group; and

adding said first entity to said first group as a static member based on said first
policy.

25. One or more processor readable storage devices according to claim 24,
wherein: 

said request is from said first entity. 

26. One or more processor readable storage devices according to claim 24, 
wherein: 

said indication is stored in an attribute of an identity profile for said first
group.

27. One or more processor readable storage devices according to claim 24, 
wherein: 

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy. 

28. One or more processor readable storage devices according to claim 24, 
wherein: 

said request is from said first entity; 

said indication is stored in an attribute of an identity profile for said first 
group; and

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy. 

29. One or more processor readable storage devices according to claim 24, 
wherein:

said first group is a member of a second group; 

said first policy may not be less restrictive than a policy for changing static 
membership of said second group; and 

said step of adding said first entity to said first group provides said first entity 
with membership privileges in said second group.

30. One or more processor readable storage devices according to claim 24, 
wherein:

said steps of receiving, accessing and adding are performed by an integrated 
identity and access system. 

31. One or more processor readable storage devices having processor
readable code embodied on said processor readable storage devices, said processor
readable code for programming one or more processors to perform a method
comprising the steps of:

receiving a request to remove a first static member from a first group;

accessing an indication of a first policy from a set of policies for changing
static membership of said first group; and

removing said first static member from said first group based on said first
policy.

32. One or more processor readable storage devices according to claim 31,
wherein:

said request is from said first entity. 

33. One or more processor readable storage devices according to claim 31, 
wherein:

said indication is stored in an attribute of an identity profile for said first
group.

34. One or more processor readable storage devices according to claim 31, 
wherein:

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy. 

35. One or more processor readable storage devices according to claim 31, 
wherein:

said request is for said first entity; 

said indication is stored in an attribute of an identity profile for said first 
group; and

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy. 

36. One or more processor readable storage devices according to claim 31, 
wherein: 

said first group is a member of a second group; 

said first policy may not be less restrictive than a policy for changing static 
membership of said second group; and 

said step of removing said first entity has an effect of removing said first entity 
from said second group. 

37. An apparatus that can modify group membership, comprising: 
a communication interface; and 

one or more processors in communication with said communication interface, 
said one or more processors perform a method comprising the steps of: 
receiving a request to add a first entity to a first group, 
accessing an indication of a first policy from a set of policies for 
changing static membership of said first group, and 

adding said first entity to said first group as a static member based on 
said first policy. 

38. An apparatus according to claim 37, wherein: 
said request is from said first entity; 

said indication is stored in an attribute of an identity profile for said first 
group; and 

said set of policies includes an open policy, an open with filter policy, a 
controlled through workflow policy, and a closed policy. 

39. An apparatus according to claim 37, wherein: 
said first group is a member of a second group; 

said first policy may not be less restrictive than a policy for changing static 
membership of said second group; and

said step of adding said first entity to said first group provides said first entity 
with membership privileges in said second group. 

40. An apparatus that can modify group membership, comprising:

a communication interface; and

one or more processors in communication with said communication interface,
said one or more processors perform a method comprising the steps of:

receiving a request to remove a first static member from a first group,

accessing an indication of a first policy from a set of policies for
changing static membership of said first group, and

removing said first static member from said first group based on said
first policy.

41. An apparatus according to claim 40, wherein:

said request is from said first entity;

said indication is stored in an attribute of an identity profile for said first
group; and

said set of policies includes an open policy, an open with filter policy, a
controlled through workflow policy, and a closed policy.

42. An apparatus according to claim 40, wherein: 
said first group is a member of a second group; 

said first policy may not be less restrictive than a policy for changing static 
membership of said second group; and

said step of removing said first entity has an effect of removing said first entity 
from said second group. 
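
The subscription decision recited in claims 1, 4, 5, 8, 9 and 12, as an added example that is not code from the patent or from any product implementing it. The names `Policy`, `Group` and `subscribe`, the least-to-most-restrictive ranking of the four policies, the choice to check the nesting rule at request time, and the `'workflow'` return value are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Optional


class Policy(IntEnum):
    # Assumed ranking, least to most restrictive; the claims name the four
    # policies but do not order them.
    OPEN = 0
    OPEN_WITH_FILTER = 1
    CONTROLLED_THROUGH_WORKFLOW = 2
    CLOSED = 3


@dataclass
class Group:
    name: str
    policy: Policy  # the "indication" kept as an attribute of the group profile
    member_filter: Optional[Callable[[dict], bool]] = None  # filter attribute
    workflow_first_step: frozenset = frozenset()  # ids allowed to start the workflow
    parent: Optional["Group"] = None  # group that this group is a member of
    static_members: set = field(default_factory=set)


def subscribe(group: Group, entity: dict) -> str:
    """Decide a self-subscription request; returns 'added', 'workflow' or 'denied'."""
    # A nested group may not be less restrictive than the group containing it,
    # since joining it confers membership privileges in the parent.
    if group.parent is not None and group.policy < group.parent.policy:
        return "denied"
    if group.policy is Policy.CLOSED:
        return "denied"
    if group.policy is Policy.OPEN_WITH_FILTER:
        # Fail closed when the filter attribute is missing.
        if group.member_filter is None or not group.member_filter(entity):
            return "denied"
    if group.policy is Policy.CONTROLLED_THROUGH_WORKFLOW:
        # Only a participant in the workflow's first step may start it; the
        # workflow, not this call, performs the add.
        return "workflow" if entity["id"] in group.workflow_first_step else "denied"
    group.static_members.add(entity["id"])
    return "added"


# Constructed sample data.
staff = Group("staff", Policy.OPEN_WITH_FILTER, lambda e: e.get("dept") == "eng")
admins = Group("admins", Policy.CONTROLLED_THROUGH_WORKFLOW,
               workflow_first_step=frozenset({"alice"}), parent=staff)
misnested = Group("lab", Policy.OPEN, parent=staff)
```

The `misnested` group shows the failure the nesting rule prevents: an open child of a filtered parent would let any entity obtain the parent's privileges without passing the parent's filter.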